Should You Disinfect?

August 19, 2008 · Filed Under MPP Releases and Fixes, Opinions on Email Security

Lately we have come across a few cases where using disinfect as the action for virus infections causes problems with MPP. Tangentially related, we are also seeing issues with clamav or clamd that make it dangerous to use discard with these scanners unless you are careful. I want to make you aware of the particulars of both issues.

First of all, disinfect is not a very useful action for an email virus scanner, because the majority of email-borne malware consists of worms. A worm-generated email contains nothing but the worm itself, so there is nothing to disinfect: disinfection presupposes a real file that has been infected and that can be used again once it is cleaned. Fortunately, virus scanners have become a de facto standard on email servers, so the incidence of actual email-borne viruses is now statistically low, especially when compared with the prevalence of spam and phishing emails.

For a while customers asked for MPP to take different actions for worms and for real viruses. Since we use so many different scanners, each of which reports differently, and since both worms and email-borne viruses have been largely held in check, we opted not to do this. Additionally, and this leads to the next point, spam scanners have started detecting and reporting email worms, while virus scanners, ClamAV in particular, have started reporting phishing emails as viruses.

While ClamAV's detection of phishing emails sounded like a great idea, it has become problematic in practice. We are getting many reports of false positives from ClamAV, something unheard of in the past, and it is no surprise that all of them come from phishing signatures. ClamAV's URL-based phishing checks can be disabled by setting "PhishingScanURLs no" in the clamd config file (the related "PhishingSignatures no" directive turns off the phishing signature database itself), and I highly recommend keeping Clam's experiment out of your production network.
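As an added example (not MPP's or ClamAV's own code), here is a small Python helper that applies that change to a clamd.conf idempotently and reads back what is actually set, so you can verify the directive took effect rather than trusting a commented-out default. PhishingScanURLs and PhishingSignatures are real clamd.conf directives; the rest of the sample configuration below is constructed for the example.

```python
"""Set a clamd.conf directive exactly once and read back the effective value."""
import re
from pathlib import Path

# Constructed sample clamd.conf fragment. As shipped, the phishing URL
# directive is typically present only as a commented-out line.
SAMPLE_CONF = """\
# Example clamd.conf (constructed for this example)
LogFile /var/log/clamav/clamd.log
#PhishingScanURLs yes
PhishingSignatures yes
"""


def set_option(conf_text: str, key: str, value: str) -> str:
    """Return conf_text with 'key value' set exactly once.

    The first line for the key is replaced whether it is active or commented
    out ("#Key ..." or "# Key ..."); later duplicates are dropped; if the key
    is absent the directive is appended. Lines for other keys are untouched.
    The trailing (\\s|$) keeps 'PhishingSignatures' from matching 'PhishingScanURLs'.
    """
    pattern = re.compile(r"^\s*#?\s*" + re.escape(key) + r"(\s|$)")
    out, done = [], False
    for line in conf_text.splitlines():
        if pattern.match(line):
            if not done:
                out.append(f"{key} {value}")
                done = True
            continue  # drop commented-out and duplicate copies of the key
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def get_option(conf_text: str, key: str):
    """Return the value on the active (uncommented) line for key, or None
    if the directive is not set and clamd's built-in default applies.
    If a hand-edited file carries several active lines, the last one is returned."""
    value = None
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == key:
            value = parts[1].strip()
    return value


def disable_phishing_urls(conf_path) -> str:
    """Rewrite the file at conf_path with PhishingScanURLs disabled; return the new text."""
    path = Path(conf_path)
    updated = set_option(path.read_text(), "PhishingScanURLs", "no")
    path.write_text(updated)
    return updated


if __name__ == "__main__":
    # Demonstration on the constructed sample instead of a live /etc/clamav/clamd.conf.
    print("before:", get_option(SAMPLE_CONF, "PhishingScanURLs"))
    fixed = set_option(SAMPLE_CONF, "PhishingScanURLs", "no")
    print("after: ", get_option(fixed, "PhishingScanURLs"))
    print(fixed)
```

Restart or reload clamd after editing the file; the helper only changes the configuration on disk.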

One important point is that disinfect is not supported with either the clamd or clamav scanner within MPP.

My recommendation: if you cannot afford to lose a legitimate email, you must quarantine. Otherwise, discard virus-infected emails altogether, since with current antivirus technology, and with ClamAV's phishing signatures turned off, the incidence of false positives is minute.

MPPv4 - Coolest MPP Yet

August 11, 2008 · Filed Under MPP Releases and Fixes

With the release of MPPv4 we have the coolest MPP version yet. I am going to go into the nitty-gritty of new features in subsequent posts but I will highlight the coolness here:

  • Threading Redesign: Though this sounds arcane and technical... it is :-) The result for you is that our SMTP scalability is greatly improved.
  • Content Filter Redesign: We completely redid the content filter technology to support international character sets, new regular expression technologies, per-expression actions, complex expressions and shared memory resources between policy groups. We have not had a chance to integrate all of this into the GUI yet, but in time we will. All of the capabilities are there, however, and it is quite cool.
  • Sender Policy Framework: SPF is a method for verifying that an SMTP server is authorized to send on behalf of a domain.
  • Spam Scoring Enhancements: MPP has a custom spam scoring algorithm that creates composite scores from multiple MPP tests. In MPPv4 we have added SPF results as well as content filter expressions. This is very cool because with MPP custom spam scoring you can now make sure that your important messages will never be marked as spam by a content scanner. Think of this as content-based whitelists.
  • Redesigned GUI: MPP Manager has been reorganized to highlight functionality over features and simplicity over options.
  • New Documentation: MPP documentation has been rewritten from the ground up and divided into three documents: an install guide, a configuration guide and an archive and quarantine management guide. The documentation is written around the GUI and functionality rather than around configuration file options.
  • More: Bugs have been fixed, small things have been added (such as new macros for bodystripping) and there are many, many more things that I will discuss in future posts.

There’s never been a better time to use MPP and I hope you will check out MPPv4.